Author's Abstract

Lamport recently invented a temporal logic of actions suitable for expressing 
concurrent programs and for reasoning about their computations. In this 
logic, actions have syntactic representations, which can be combined and 
analyzed. The basic construct for relating actions and computations is [ ]; a 
computation satisfies the formula [A] if either the computation has halted or 
the first action in the computation is an A action. In addition, the language 
includes the temporal operators □ ("always") and ◇ ("eventually"), and
thus it is easy to write both safety and liveness formulas. 

However, the temporal logic of actions is not very expressive in some re- 
spects (just expressive enough). One cannot define the "next" and the "un- 
til" operators of many previous temporal logics. This is actually a feature, 
in that formulas with "until" are too often incomprehensible, and "next" 
violates the important principle of invariance under stuttering. 

A proof system for the logic of actions might be obtained by translating 
into previous, richer formalisms. In this translation we forfeit the logic and 
its advantages. A new suite of rules for temporal reasoning with actions is
therefore wanted. A complete axiomatization can provide some guidance in 
choosing and understanding the rules used in practice, and in particular the 
laws for reasoning about programs. 

In this paper, we study a proof system for a propositional logic, PTLA. 
After an informal introduction, we define the syntax and semantics of PTLA 
precisely, and then present our proof system and prove its completeness. 
1 Introduction



Lamport recently invented a temporal logic of actions suitable for expressing 
concurrent programs and for reasoning about their computations [Lam90]. 
In this logic, actions have syntactic representations, which can be combined 
and analyzed. Lamport views an action as a state transition, and a com- 
putation as a sequence of states. The basic construct for relating actions 
and computations is [ ]; a computation satisfies the formula [A] if either the 
computation has halted or the first action in the computation is an A action. 
The dual notation is ⟨A⟩, which means that the computation has not halted
and that the first action is an A action. (Notice that [A] and ⟨A⟩ are formulas,
and not modalities as in dynamic logic [Pra76] and in Hennessy-Milner
logic [HM85].) In addition, the language includes the temporal operators □
("always") and ◇ ("eventually"), and thus it is easy to write both safety
and liveness properties [Pnu77]. 

However, the temporal logic of actions is not very expressive in some 
respects (just expressive enough). One cannot define the "next" and the 
"until" operators of many previous temporal logics [Pnu81]. This is actually 
deliberate; formulas with nested occurrences of "until" are too often incom- 
prehensible, and "next" violates the principle of invariance under stuttering, 
which is important for hierarchical and compositional reasoning [Lam89]. 

A proof system for the logic of actions might be obtained by translating 
into previous, richer formalisms. In this translation we forfeit the logic and 
two of its main advantages, understandable formulas and the possibility of 
reducing many arguments to simple calculations on actions. A new suite of
rules for temporal reasoning with actions is therefore wanted. A complete 
axiomatization can provide some guidance in choosing and understanding 
the rules used in practice, and in particular the laws for reasoning about 
programs. (A decision procedure is less often helpful in this respect.) 

At least two kinds of complete proof systems are possible: a propositional 
system and a first-order system. (In the first-order case, one can hope only 
for relative or nonstandard completeness results, of course.) In this paper, 
we study a proof system for a propositional temporal logic of actions, PTLA. 
In the next section, we introduce the logic of actions through an example
and discuss the underlying model very informally. We give precise definitions 
of the syntax and semantics of PTLA in Section 3. In Section 4, we present 
our proof system and prove its completeness. 

2 An Example 

In this example, we use the logic of actions for describing a trivial com- 
plete program with two processes. Process S repeatedly sends a boolean to 
process R and then waits for a signal; process R repeatedly receives a value 
from process S and then signals. 

In a CSP-like notation, this program is: 

[S :: *[[R!true □ R!false]; R!ANY]] || [R :: *[S?x; S!ANY]]

(Here ANY is used as in Occam, for synchronization without message-
passing [INM84].¹)

We take a program, such as this one, to denote the set of behaviors that 
it generates. In the logic of actions, a behavior is a sequence of states. It 
may help to view a state as a snapshot of a device that executes the program. 
All that matters is that each program variable has a value at each state. 

Formally, behaviors are described in terms of actions. An action is a
binary relation on program states. Intuitively, an action is the set of all
pairs of states s and t such that the action can change the state from s to t;
an action is enabled in s if it can change the state from s to t for some t. A
predicate on primed and unprimed program variables expresses an action.
For example, the action that negates the value of a variable y may be written
$y' = \neg y$ (or, equivalently, $y = \neg y'$, or $(y \wedge \neg y') \vee (\neg y \wedge y')$); $y'$ represents the
value of y after the action.

In the semantics, then, states are primitive, and actions are not; this 
presents advantages and disadvantages in comparison with models with 
primitive actions. At any rate, the two approaches are valid, and they can 
provide the same sort of information (as one can translate between sequences 
of states and sequences of events). The properties of programs discussed in 
the logic of actions are interesting in either model. 

Coming back to our example, we start the formal description of the
program by listing its variables. In addition to the variable x, the program
has two implicit control variables $l_S$ and $l_R$, one for each process; a device
executing the program would keep track of the values of these three variables.
The boolean $l_S$ is true when control is at the send command in process S,
and false when control is at the receive command in process S. The boolean
$l_R$ is true when control is at the receive command in process R, and false
when control is at the send command in process R. Thus, a state should
assign values to x, $l_S$, and $l_R$.

¹ Occam is a trade mark of the INMOS Group of Companies.

Next we define an action for each communication event. The sending of
true can change a state where $l_S$ and $l_R$ hold to a state where $\neg l'_S$, $\neg l'_R$, and
$x'$ hold. Hence, for the sending of true, we write:²

$$A_t \triangleq l_S \wedge \neg l'_S \wedge l_R \wedge \neg l'_R \wedge x'$$

A similar formula expresses the sending of false:

$$A_f \triangleq l_S \wedge \neg l'_S \wedge l_R \wedge \neg l'_R \wedge \neg x'$$

The nondeterministic composition of these two actions is represented as a
disjunction:

$$A \triangleq A_t \vee A_f$$

The other basic action of the program is the acknowledgement:

$$Ack \triangleq \neg l_S \wedge l'_S \wedge \neg l_R \wedge l'_R \wedge (x' = x)$$

Thanks to the use of control variables, disjunction represents sequential com-
position, in addition to nondeterministic composition.³ Thus, the sequential
composition of A and Ack is represented as a disjunction:

$$N \triangleq A \vee Ack$$

The action N is the next-state relation of the complete program. A compu-
tation of the program, started from an arbitrary state, satisfies $\Box[N]$.

The program is enabled (that is, it can make progress) only when $l_S$ and
$l_R$ have the same value. We define:

$$Enabled(N) \triangleq (l_S = l_R)$$

² The symbol $\triangleq$ means equals by definition.

³ In Lamport's interleaving model, the action that corresponds to the parallel compo-
sition of two processes is the union of the actions that correspond to the processes, so
disjunction represents parallel composition as well.
The formula $\Box[N]$ allows some computations that are immediately dead-
locked, when started in a state where Enabled(N) does not hold. To restrict
attention to the computations that start from the expected initial states, we
define the predicate Init:

$$Init \triangleq l_S \wedge l_R$$

A computation satisfies $Init \wedge \Box[N]$ if it is a computation of the program
that starts in a state where Init holds. One can prove formally that none of
these computations deadlocks:

$$Init \wedge \Box[N] \Rightarrow \Box Enabled(N)$$

It is still possible for a computation that satisfies Init and $\Box[N]$ to halt,
because we have not yet made liveness assumptions (both Init and $\Box[N]$
are safety formulas). The assumption of weak fairness for N suffices to
guarantee continued progress. Weak fairness for N says that if N is always
enabled after a certain point then eventually N takes place:

$$WF(N) \triangleq \Box(\Box Enabled(N) \Rightarrow \Diamond\langle N\rangle)$$

The desired progress property follows:

$$(Init \wedge \Box[N] \wedge WF(N)) \Rightarrow (\Box\Diamond l_R \wedge \Box\Diamond\neg l_R \wedge \Box\Diamond l_S \wedge \Box\Diamond\neg l_S)$$

A further requirement is that true and false are chosen fairly. Strong
fairness for $A_t$ says that if the transmission of true is enabled infinitely often
(that is, $l_S \wedge l_R$ holds infinitely often), then the transmission of true happens
eventually. Hence we set:

$$Enabled(A_t) \triangleq l_S \wedge l_R$$

$$SF(A_t) \triangleq \Box(\Box\Diamond Enabled(A_t) \Rightarrow \Diamond\langle A_t\rangle)$$

and strong fairness for $A_f$ is written similarly:

$$Enabled(A_f) \triangleq l_S \wedge l_R$$

$$SF(A_f) \triangleq \Box(\Box\Diamond Enabled(A_f) \Rightarrow \Diamond\langle A_f\rangle)$$

Under these strong-fairness assumptions, the program guarantees that the
value of x is infinitely often true and infinitely often false:

$$(Init \wedge \Box[N] \wedge WF(N) \wedge SF(A_t) \wedge SF(A_f)) \Rightarrow (\Box\Diamond x \wedge \Box\Diamond\neg x)$$
In introducing the logic through this example we have only exercised the
notation, and not reasoned within it formally. The traditional approaches 
to safety and liveness verification are adequate for proving the properties 
that we have claimed in the example. Lamport has formalized these tra- 
ditional approaches within the logic, and has exploited them in the study 
of moderately substantial algorithms (in particular with the general logic, 
mentioned in Section 5). 
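The following is an added example, not code from the paper: it encodes the two-process program of Section 2 with its actions $A_t$, $A_f$, Ack and N as Python predicates on (state, primed state) pairs and checks the claims made about it by exhaustive search over the eight states. The encoding of states as named tuples is ours; Enabled is computed semantically (some successor exists) and compared with the paper's definition $Enabled(N) \triangleq (l_S = l_R)$, and the last function shows why weak fairness alone does not give $\Box\Diamond\neg x$.

```python
"""Added example (not from the paper): the Section 2 program, brute-forced.
States are (x, l_S, l_R); t plays the role of the primed state, so t.x is x'."""
from collections import namedtuple
from itertools import product

State = namedtuple("State", "x lS lR")
STATES = [State(*bits) for bits in product((False, True), repeat=3)]

def A_t(s, t):   # send true
    return s.lS and not t.lS and s.lR and not t.lR and t.x

def A_f(s, t):   # send false
    return s.lS and not t.lS and s.lR and not t.lR and not t.x

def A(s, t):     # nondeterministic choice between the two sends
    return A_t(s, t) or A_f(s, t)

def Ack(s, t):   # acknowledgement; x is left unchanged
    return (not s.lS) and t.lS and (not s.lR) and t.lR and t.x == s.x

def N(s, t):     # next-state relation of the whole program
    return A(s, t) or Ack(s, t)

def Init(s):
    return s.lS and s.lR

def enabled(action, s):
    """Semantic Enabled: the action relates s to at least one state t."""
    return any(action(s, t) for t in STATES)

def enabled_matches_definition():
    """Enabled(N) computed from N agrees with the paper's l_S = l_R everywhere."""
    return all(enabled(N, s) == (s.lS == s.lR) for s in STATES)

def reachable(init, action):
    """States reachable from init by action steps. Stuttering steps (s, s) are
    always allowed by [action] but add no new states, so they are ignored."""
    seen = {s for s in STATES if init(s)}
    frontier = list(seen)
    while frontier:
        s = frontier.pop()
        for t in STATES:
            if action(s, t) and t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen

def deadlock_free():
    """Init ∧ □[N] ⇒ □Enabled(N): every reachable state has an N successor."""
    return all(enabled(N, s) for s in reachable(Init, N))

def deadlocked_initial_states():
    """Without Init, □[N] admits computations that are stuck from the start."""
    return [s for s in STATES if not enabled(N, s)]

def x_can_stay_true_forever():
    """Why SF(A_f) is needed for □◇¬x: a computation may choose A_t every
    time. Looks for an N-cycle through an initial state that never leaves
    the states with x true (such a cycle violates no weak-fairness assumption)."""
    keep_x_true = lambda s, t: N(s, t) and t.x
    start = State(x=True, lS=True, lR=True)
    cycle_states = reachable(lambda s: s == start, keep_x_true)
    return any(keep_x_true(s, start) for s in cycle_states)

if __name__ == "__main__":
    print("Enabled(N) = (l_S = l_R):", enabled_matches_definition())
    print("reachable from Init:", sorted(reachable(Init, N)))
    print("deadlock free:", deadlock_free())
    print("x can stay true forever under N:", x_can_stay_true_forever())
```

Reachability here is a finite-state stand-in for the proof of $Init \wedge \Box[N] \Rightarrow \Box Enabled(N)$: since every reachable state has $l_S = l_R$, the program is never stuck, while the four states with $l_S \neq l_R$ show what $\Box[N]$ alone would allow.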

3 The Syntax and Semantics of PTLA 

In this section, we give a precise definition of the syntax and semantics 
of a propositional temporal logic of actions, PTLA. This logic, although 
not introduced in [Lam90], is a formalization of Lamport's approach in a 
propositional setting. 

3.1 Syntax 

We have a countably infinite collection of proposition symbols $P_0, P_1, P_2, \ldots$
and a countably infinite collection of action symbols $A_0, A_1, A_2, \ldots$.

A state predicate is a boolean combination of proposition symbols. (We
use the boolean connectives false, ¬, and ∧, and view the connectives ∨, ⇒,
and ≡ as abbreviations.) If P is a state predicate, then P' is a primed state
predicate. An action is a boolean combination of state predicates, primed 
state predicates, and action symbols; thus, in particular, a state predicate is 
an action. This repertoire of actions is richer than that allowed in Hennessy- 
Milner logic (where only action symbols are considered); on the other hand, 
the regular expressions and the context-free grammars of dynamic logic do 
not seem necessary here. 

A formula of the logic is: 

• a state predicate; 

• [A], where A is an action; 

• a boolean combination of formulas; or 

• □F, where F is a formula.

We also write ⟨A⟩ for ¬[¬A], and ◇F for ¬□¬F.
Throughout, we use the letters O, P, Q, and R for state predicates, A
and B for actions, and F and G for arbitrary formulas.

Lamport's logic also includes action formulas, for example of the form
A ≡ B. For simplicity, we do not allow these formulas, as it is possible to
use paraphrases, such as □([A] ≡ [B]) for A ≡ B.

The primitive action symbols $A_0, A_1, A_2, \ldots$ were not needed in the ex-
ample of Section 2, and hence some motivation for them is in order. Often an
action cannot be expressed as a boolean combination of state predicates and
primed state predicates, because we have not been given a full specification
of the action, or because the action is essentially first-order, as $x' = x + 1$.
In these cases, having action symbols enables us to name the action and
exploit any known propositional facts about it. For example, if $A_0$ stands
for $x' = x + 1$, $P_0$ for $x = 0$, and $P_1$ for $x = 1$, then $P'_1$ is $x' = 1$, and we
can write and use $P_0 \wedge A_0 \Rightarrow P'_1$; alternatively, $\Box[P_0 \wedge A_0 \Rightarrow P'_1]$ achieves
the same effect.

3.2 Semantics 

The semantics of the temporal logic of actions resembles those for other 
linear-time temporal logics. The novelties concern the meaning of the for- 
mulas of the form [A]. 

An interpretation is a pair (S, I) where

• S is a non-empty set; an element of S is called a state, and S is called
a state space;

• I is a pair of mappings $I_p$ and $I_a$, which assign to each proposition
symbol a subset of S and to each action symbol a subset of $S \times S$,
respectively; intuitively, $I_p(P_i)$ is the set of states where $P_i$ is true,
and $I_a(A_i)$ is the set of pairs of states related by $A_i$.

Sometimes we omit mention of S, and simply refer to I as the interpretation.
We extend the mapping $I_p$ to all state predicates, by setting:

$$I_p(false) \triangleq \emptyset$$
$$I_p(\neg P) \triangleq S - I_p(P)$$
$$I_p(P \wedge Q) \triangleq I_p(P) \cap I_p(Q)$$

Then we extend the mapping $I_a$ to all actions, by setting:

$$I_a(P) \triangleq I_p(P) \times S$$
$$I_a(P') \triangleq S \times I_p(P)$$
$$I_a(\neg A) \triangleq S \times S - I_a(A)$$
$$I_a(A \wedge B) \triangleq I_a(A) \cap I_a(B)$$

A behavior over S is an infinite sequence of elements of S. If σ is the
behavior $s_0, s_1, s_2, \ldots$, we denote $s_i$ by $\sigma_i$ and $s_i, s_{i+1}, s_{i+2}, \ldots$ by $\sigma^{+i}$. We
say that σ is halted if $\sigma_0 = \sigma_i$ for all i. If σ is not halted, we write $\mu(\sigma)$ for
the least i such that $\sigma_0 \neq \sigma_i$.

A model is a triple (S, I, σ), where (S, I) is an interpretation and σ is
a behavior over S. We define the satisfaction relation between models and
formulas inductively, as follows:

$$(S, I, \sigma) \models P_j \triangleq \sigma_0 \in I_p(P_j)$$

$$(S, I, \sigma) \models [A] \triangleq \text{either } \sigma \text{ is halted or } (\sigma_0, \sigma_{\mu(\sigma)}) \in I_a(A)$$

$$(S, I, \sigma) \models false \triangleq \text{false}$$

$$(S, I, \sigma) \models \neg F \triangleq (S, I, \sigma) \not\models F$$

$$(S, I, \sigma) \models F \wedge G \triangleq (S, I, \sigma) \models F \text{ and } (S, I, \sigma) \models G$$

$$(S, I, \sigma) \models \Box F \triangleq \text{for all } i,\ (S, I, \sigma^{+i}) \models F$$

For example, $(S, I, \sigma) \models [false]$ if and only if σ is halted.
The formula F is satisfiable if there exists (S, I, σ) such that $(S, I, \sigma) \models F$.
The formula F is valid if $(S, I, \sigma) \models F$ for all (S, I, σ); we write this $\models F$.



4 A Complete Proof System 



In the first subsection we give our axioms, and then we list some of their 
consequences. Finally, we prove the completeness of the axioms. 



4.1 The System 

The temporal logic of actions is an extension of the common temporal logic
with the single modality □. Accordingly, we are going to base our axiom-
atization on a usual one, a system known as D (in [HC68]) or S4.3Dum
(in [Gol87]). The axioms and rules for D are:

1. $\vdash \Box(F \Rightarrow G) \Rightarrow (\Box F \Rightarrow \Box G)$

2. $\vdash \Box F \Rightarrow F$

3. $\vdash \Box F \Rightarrow \Box\Box F$

4. $\vdash \Box(\Box F \Rightarrow G) \vee \Box(\Box G \Rightarrow F)$

5. $\vdash \Box(\Box(F \Rightarrow \Box F) \Rightarrow F) \Rightarrow (\Diamond\Box F \Rightarrow F)$

6. If $\vdash F$ then $\vdash \Box F$.

7. If F is an instance of a propositional tautology then $\vdash F$.

8. If $\vdash F$ and $\vdash F \Rightarrow G$ then $\vdash G$.

Axiom 4 is a classical way to express that time is linear — that any two in-
stants in the future are ordered. Axiom 5, indirectly attributed to Geach
in [HC68], is a simplification of the original $\Box(\Box(F \Rightarrow \Box F) \Rightarrow F) \Rightarrow (\Diamond\Box F \Rightarrow \Box F)$,
due to Dummett and Lemmon; Axiom 5 expresses the dis-
creteness of time.

We introduce some axioms about actions:

9. $\vdash [false] \Rightarrow [A]$

10. $\vdash \neg[false] \Rightarrow [P] \equiv P$

11. $\vdash \neg[false] \Rightarrow [\neg A] \equiv \neg[A]$

12. $\vdash [A \wedge B] \equiv [A] \wedge [B]$

13. $\vdash [(\neg P)'] \equiv [\neg P']$

14. $\vdash [(P \wedge Q)'] \equiv [P' \wedge Q']$

15. $\vdash \Box P \Rightarrow [P']$

16. $\vdash \Box(P \Rightarrow (([P'] \wedge G) \vee \Box G)) \Rightarrow (([P'] \wedge G) \Rightarrow \Box G)$

Axiom 16 can be paraphrased as follows: suppose that whenever P holds
either G holds and P survives the next state change, or G is true forever;
thus, G holds for as long as P holds, and becomes true forever if P stops
holding; hence, if G is true initially and P is true after the first state change
then G is always true. All the other axioms are rather straightforward.

Our axiomatization could perhaps be simplified. It is worth recalling,
however, that a less expressive logic does not always have a simpler proof
system. For instance, the system for temporal logic with "next" is simpler
than D [GPSS80], yet the "next" modality increases the expressiveness of the
logic and its complexity (from coNP-complete to PSPACE-complete [SC85]).
4.2 Some Consequences of the Axioms

Some interesting consequences of the axioms are important in our complete- 
ness proof. We list and explain a few here. 

• $\vdash [false] \Rightarrow (F \equiv \Box F) \wedge (F \equiv \Diamond F)$

The formula expresses that once the computation has halted, all facts
are permanent, meaning that F, □F, and ◇F are equivalent for all F.

• $\vdash \langle P'\rangle \Rightarrow \Diamond P$

In words, if the computation has not halted and the next action is P',
then P holds eventually. This formula embodies the simplest method
for proving liveness properties.

• $\vdash P \wedge \Box(P \Rightarrow [P']) \Rightarrow \Box P$

This predictable induction principle follows directly from Axiom 16,
when we instantiate G to P.

• $\vdash [P'] \wedge \Diamond G \Rightarrow G \vee \Diamond(P \wedge \Diamond G)$

The theorem is another consequence of Axiom 16. It says that if the action
P' is about to take place (unless the computation halts) and G must
hold eventually, then either G is true now, or P holds eventually and
G holds later.

• $\vdash (P \wedge \Diamond G \wedge \Box(P \wedge \Diamond G \Rightarrow [P'])) \Rightarrow \Diamond(P \wedge G)$

This is the dual to Axiom 16.
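The following is an added example, not code from the paper. It makes the satisfaction relation of Section 3.2 executable over ultimately periodic ("lasso") behaviors, which is enough for the checks below because every formula's truth on such a behavior is determined by finitely many suffixes. It then uses the evaluator to check instances of the action axioms 9 to 16 of Section 4.1 and the consequence $\langle P'\rangle \Rightarrow \Diamond P$ of Section 4.2 on every small model, and to show that $[P']$ is invariant under stuttering while a "next" operator is not. The encoding choices are ours: a state is the frozenset of proposition symbols true in it, a behavior is (prefix, loop) with a non-empty loop, and the interpretation of the action symbol a0 is constructed.

```python
"""Added example (not code from the paper): the PTLA semantics of Section 3.2 made
executable over ultimately periodic ("lasso") behaviors, used to check the action
axioms 9-16 (Section 4.1) and a consequence from Section 4.2 on every small model,
and to show that [P'] is stuttering invariant while a "next" operator is not.
Encoding choices are ours: a state is the frozenset of true proposition symbols,
a behavior is (prefix, loop) with loop non-empty, and a0's interpretation is made up."""
from itertools import product

# Formulas and actions as nested tuples; OR, IMP, IFF, DIA, ANG are the
# abbreviations of Section 3.1. The "next" tag is NOT part of PTLA.
def P(name):     return ("P", name)         # proposition symbol
def prime(pred): return ("prime", pred)     # primed state predicate P'
def A(name):     return ("A", name)         # action symbol
FALSE = ("false",)
def NOT(f):      return ("not", f)
def AND(f, g):   return ("and", f, g)
def OR(f, g):    return NOT(AND(NOT(f), NOT(g)))
def IMP(f, g):   return NOT(AND(f, NOT(g)))
def IFF(f, g):   return AND(IMP(f, g), IMP(g, f))
def BOX(f):      return ("box", f)
def DIA(f):      return NOT(BOX(NOT(f)))    # ◇F ≜ ¬□¬F
def SQ(a):       return ("act", a)          # [A]
def ANG(a):      return NOT(SQ(NOT(a)))     # ⟨A⟩ ≜ ¬[¬A]

def state_at(beh, i):
    prefix, loop = beh
    return prefix[i] if i < len(prefix) else loop[(i - len(prefix)) % len(loop)]
def positions(beh):  # indices whose suffixes cover every distinct suffix
    return range(len(beh[0]) + len(beh[1]))
def suffix(beh, i):  # sigma^{+i}, kept in lasso form by rotating the loop
    prefix, loop = beh
    if i < len(prefix):
        return (prefix[i:], loop)
    k = (i - len(prefix)) % len(loop)
    return ((), loop[k:] + loop[:k])
def mu(beh):  # least i with sigma_i != sigma_0; None when sigma is halted
    return next((i for i in positions(beh) if state_at(beh, i) != state_at(beh, 0)), None)

def holds_action(a, Ia, s, t):
    """(s, t) in I_a(a), following the extension of I_a in Section 3.2."""
    tag = a[0]
    if tag == "P":     return a[1] in s                     # I_a(P) = I_p(P) x S
    if tag == "prime": return holds_action(a[1], Ia, t, t)  # I_a(P') = S x I_p(P); a[1] has no primes
    if tag == "A":     return Ia[a[1]](s, t)
    if tag == "false": return False
    if tag == "not":   return not holds_action(a[1], Ia, s, t)
    if tag == "and":   return holds_action(a[1], Ia, s, t) and holds_action(a[2], Ia, s, t)
    raise ValueError(a)

def holds(f, Ia, beh):
    """(S, I, sigma) |= f, the satisfaction relation of Section 3.2."""
    tag = f[0]
    if tag == "P":     return f[1] in state_at(beh, 0)
    if tag == "false": return False
    if tag == "not":   return not holds(f[1], Ia, beh)
    if tag == "and":   return holds(f[1], Ia, beh) and holds(f[2], Ia, beh)
    if tag == "box":   return all(holds(f[1], Ia, suffix(beh, i)) for i in positions(beh))
    if tag == "act":   # [A]: sigma halted, or its first state change is an A step
        m = mu(beh)
        return m is None or holds_action(f[1], Ia, state_at(beh, 0), state_at(beh, m))
    if tag == "next":  # the "next" of other temporal logics, for contrast only
        return holds(f[1], Ia, suffix(beh, 1))
    raise ValueError(f)

# Constructed finite models over the propositions p and q; the action symbol a0
# relates every state satisfying p to every state satisfying q.
STATES = [frozenset(n for n, on in zip(("p", "q"), bits) if on) for bits in product((0, 1), repeat=2)]
IA = {"a0": lambda s, t: "p" in s and "q" in t}

def small_behaviors(max_prefix=2, max_loop=2):  # 420 lassos for the defaults
    for lp in range(max_prefix + 1):
        for ll in range(1, max_loop + 1):
            for prefix in product(STATES, repeat=lp):
                for loop in product(STATES, repeat=ll):
                    yield (prefix, loop)
def valid_on_small_models(f):
    return all(holds(f, IA, b) for b in small_behaviors())
def stutter(beh):  # insert a stuttering step: sigma_0, sigma_0, sigma_1, ...
    return ((state_at(beh, 0),) + beh[0], beh[1])
def stuttering_invariant(f):
    return all(holds(f, IA, b) == holds(f, IA, stutter(b)) for b in small_behaviors())

p, q, a0, halt = P("p"), P("q"), A("a0"), SQ(FALSE)
ACTION_AXIOMS = {
    9:  IMP(halt, SQ(a0)),
    10: IMP(NOT(halt), IFF(SQ(p), p)),
    11: IMP(NOT(halt), IFF(SQ(NOT(a0)), NOT(SQ(a0)))),
    12: IFF(SQ(AND(a0, prime(q))), AND(SQ(a0), SQ(prime(q)))),
    13: IFF(SQ(prime(NOT(p))), SQ(NOT(prime(p)))),
    14: IFF(SQ(prime(AND(p, q))), SQ(AND(prime(p), prime(q)))),
    15: IMP(BOX(p), SQ(prime(p))),
    16: IMP(BOX(IMP(p, OR(AND(SQ(prime(p)), q), BOX(q)))), IMP(AND(SQ(prime(p)), q), BOX(q))),
}
def check_action_axioms():
    """Axiom number -> whether that instance holds on every small model."""
    return {n: valid_on_small_models(f) for n, f in ACTION_AXIOMS.items()}
```

Passing this check on all 420 small models is a soundness sanity test of the axiom instances, not a proof of validity, and it is also where the guard $\neg[false]$ in Axioms 10 and 11 earns its place: the unguarded $[P] \Rightarrow P$ is refuted by a halted behavior whose single state falsifies P, since $[A]$ holds vacuously on halted behaviors. Because the evaluator follows the first state change rather than the next position, inserting a stuttering step never changes the truth of a PTLA formula, whereas the "next" of $\sigma_0, \sigma_1, \ldots$ does change when $\sigma_0$ is repeated.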

4.3 Soundness and Completeness 

Theorem 1 (Soundness and Completeness) $\models F \Leftrightarrow\ \vdash F$

A simple induction on proofs shows that if $\vdash F$ then $\models \Box F$. It follows
that if $\vdash F$ then $\models F$; thus, ⊢ is sound. The other direction of the claim
(completeness) is more delicate, and the rest of this section is devoted to it.

Before embarking on the proof, we should recall a classical completeness
theorem for D. The theorem says that if a formula G is not provable then
¬G has a model. In fact, a model can be obtained from a structure of a very
special form, known as a balloon. A balloon consists of a sequence of states
$s_0, s_1, s_2, \ldots, s_m$, the string, and a set of states $\{t_0, t_1, t_2, \ldots, t_n\}$, the bag.
(Without loss of generality, the states can be taken to be all distinct.) An
interpretation gives values over these states to all the proposition symbols
in G. With this interpretation, any sequence

$$s_0, \ldots, s_m, t_{i_0}, \ldots, t_{i_k}, \ldots$$

provides a model for ¬G, if all of $0, \ldots, n$ occur in $i_0, \ldots, i_k, \ldots$ infinitely
often. Thus, a model is obtained from the balloon by linearizing the bag in
any way whatsoever. This and similar constructions appear in [Gol87].

A formula holds at a state s in a behavior if it holds in the suffixes of 
the behavior that start with s. A formula holds at a state s in a balloon if 
it holds at s in all linearizations of the balloon. In both cases, we may also 
say that s satisfies the formula. 

The basic strategy of our completeness proof is as follows. For every G,
let G* be the formula obtained from G by replacing each subformula of the
form [A] with a fresh proposition symbol; thus, ( )* is a translation into a
classical temporal formalism, with no actions. Assume that $\nvdash F$; we want
to show that $\nvDash F$. That is, we want to find a model (S, I, σ) that satisfies
¬F. If $\nvdash F$ then $\nvdash (X \Rightarrow F)$, where X is any formula provable in PTLA
(we will specify the choice of X below). A fortiori, $(X \Rightarrow F)$ cannot be
derived using only the D axioms; because D does not have axioms about
actions, it follows that $(X \Rightarrow F)^*$ cannot be derived in D. Thus, by the
completeness of D, there must be a balloon B and an interpretation that
satisfy $\neg(X \Rightarrow F)^*$. Obviously, X* and ¬F* are also satisfied. The balloon
and the interpretation will be useful in constructing a model for ¬F.

It is straightforward to choose X so that the proposition symbols that
occur in F also occur in $\neg(X \Rightarrow F)^*$; hence the interpretation that satisfies
$\neg(X \Rightarrow F)^*$ over B must assign truth values to these proposition symbols.
Naturally, if the proposition symbol [A]* is mentioned in our completeness
argument then it will occur in X* (otherwise we could not say much about
[A]*); therefore, the interpretation must also assign a truth value to [A]*.
These properties of the interpretation will serve in defining the desired I.

In the course of the proof, we rely on the fact that each state in B satisfies
certain theorems of PTLA, or rather their translation under ( )*. The number
of theorems needed is finite, and their choice depends only on the choice of
F. (It suffices to consider instances of Axioms 9 to 16 for subexpressions
of ¬F, and some simple boolean combinations of these, sometimes with
primes.) We take for X the conjunction of all formulas □T, where T is one
of these necessary theorems. For all practical purposes, from now on, we
may pretend that we have all the theorems of PTLA at our disposal.

For example, the proof of Proposition 1 uses that if $P_j$ occurs in F then
one of $[P'_j]^*$ and $[(\neg P_j)']^*$ holds in each state in B. To justify this claim, we
point out that $\vdash [P'_j] \vee [(\neg P_j)']$, and we implicitly include $\Box([P'_j] \vee [(\neg P_j)'])$
in X. Since B satisfies X*, every state in B satisfies $([P'_j] \vee [(\neg P_j)'])^*$, and
hence one of $[P'_j]^*$ and $[(\neg P_j)']^*$.

After these preliminaries, we are ready to start the necessary model 
construction. 

Let $P_0, \ldots, P_k$ be a list of all the proposition symbols that occur in F.
An assignment is a conjunction $Q_0 \wedge \ldots \wedge Q_k$ such that each $Q_i$ is either
$P_i$ or $\neg P_i$. Given a state s in B, there exists a unique assignment $O_s$ that
holds in s.

A state of B that satisfies [false]* is called a halting state. We have:

Proposition 1 For every state s there exists an assignment $R_s$ such that
$[R'_s]^*$ holds in s. Moreover, $R_s$ is unique if and only if s is not a halting
state.

Proof To prove the existence of $R_s$, we first notice that $\vdash [P'_j] \vee [(\neg P_j)']$
for each proposition symbol $P_j$, and hence s must satisfy at least one of
$[P'_j]^*$ and $[(\neg P_j)']^*$. Therefore, let $Q_j$ be one of $P_j$ and $\neg P_j$ such that $[Q'_j]^*$
holds at s. If $R_s$ is the conjunction of all these $Q_j$'s, then $[R'_s]^*$ holds at
s, because the axioms yield $\vdash [Q'_0] \wedge \ldots \wedge [Q'_k] \equiv [(Q_0 \wedge \ldots \wedge Q_k)']$. If s
is not halting then $R_s$ is unique because $\vdash \neg[false] \Rightarrow [\neg P'_i] \equiv \neg[P'_i]$ and
$\vdash [\neg P'_i] \equiv [(\neg P_i)']$. If s is a halting state then $R_s$ could be any assignment,
since both $\vdash [false] \Rightarrow [P'_i]$ and $\vdash [false] \Rightarrow [(\neg P_i)']$. ∎

Given a state s which is not halting, we say that t follows s in B if:

• t is the first state in the string strictly after s such that $O_t = R_s$, if
such exists;

• else, t is a state in the bag and $O_t = R_s$, if such exists;

• else, t = s if $O_s = R_s$.

Proposition 2 If s is not halting, then some t follows s.

Proof The axioms yield $\vdash [R'_s] \wedge \neg[false] \Rightarrow \Diamond R_s$, so s must satisfy this
formula. Thus, $R_s$ must hold at a state in the string strictly after s, or at a
state in the bag, or at s itself. ∎

We proceed to construct the desired behavior a inductively. 
• Let $\sigma_0$ be the first state in the string of the balloon, or an arbitrary
state in the bag if the string is empty.

• If $\sigma_i$ is a halting state, let $\sigma_{i+1} = \sigma_i$.

• If $\sigma_i$ is not a halting state, let $\sigma_{i+1}$ be a state that follows $\sigma_i$. If possible,
always pick a state that has not been visited previously. Otherwise,
pick the state first visited the longest time ago, and start cycling.

The behavior σ ends with a cycle. It may be that this cycle is of length
one while the single state s in the cycle does not satisfy [false]*. In this
case, we modify σ trivially: we make a copy $\bar{s}$ of s and have a cycle between
these two different states. (Of course, s and $\bar{s}$ are different only formally, as
they satisfy the same formulas.) This modification is convenient in giving
a proper meaning to [false]. We do not discuss this minor point in the
construction further, and leave the obvious details to the reader.

Let $\mathcal{S}$ be the balloon obtained by discarding from B all states not in
σ. More precisely, the bag of $\mathcal{S}$ is the set of states that occur in the cyclic
part of σ, and the string of $\mathcal{S}$ is the remaining states of σ, ordered in the
order of their occurrence. The bag of $\mathcal{S}$ may be a subset of the bag of B.
It may happen, however, that the bag of $\mathcal{S}$ consists of a single state s from
the string of B (or s and $\bar{s}$); this is the case where either s is halting or s
is the last state to satisfy $R_s$.

Next we show that ¬F* still holds in $\mathcal{S}$. We strengthen the claim, to
mention every state and every subformula of ¬F*. However, it is not claimed
that all of the theorems compiled in X still hold at each state in $\mathcal{S}$; this claim
is not needed.

Proposition 3 If G* is a subformula of ¬F* and s is a state in $\mathcal{S}$, then
G* holds at s in $\mathcal{S}$ if and only if G* holds at s in B. In particular, all
linearizations of $\mathcal{S}$ satisfy ¬F*.

Proof The proof proceeds by induction on the structure of the subfor-
mula of ¬F*. As is common in proofs of this sort, the only delicate argument
is that subformulas of the form ◇G* that hold at s in B also hold at s in
$\mathcal{S}$. (Intuitively, this is because $\mathcal{S}$ is a "subballoon" of B.) The argument
that subformulas of the form ◇G* that hold at s in $\mathcal{S}$ also hold at s in B is
exactly dual. All other arguments are trivial.

Within the main induction, we perform an auxiliary induction on the
distance from the state considered to $\mathcal{S}$'s bag.
As a base case, we prove the claim for the states in $\mathcal{S}$'s bag. There are
several subcases:

• If $\mathcal{S}$'s bag is a singleton {s}, then s must satisfy [false]*, by construc-
tion of σ. Since $\vdash [false] \Rightarrow G \equiv \Diamond G$, if ◇G* holds at s in B then G*
holds at s in B. By induction hypothesis, G* holds at s in $\mathcal{S}$, and by
temporal reasoning ◇G* holds at s in $\mathcal{S}$.

• If $\mathcal{S}$'s bag is a pair {s, $\bar{s}$}, then it must be that s is not a halting
state, and that $R_s$ holds in no state after s in B's string (if any)
and in no state in B's bag other than s. Furthermore, $O_s = R_s$.
Therefore, s satisfies $R_s \wedge \Box(R_s \Rightarrow [R'_s])^*$ in B, and hence also $\Box R_s$,
since $\vdash R_s \wedge \Box(R_s \Rightarrow [R'_s]) \Rightarrow \Box R_s$. Assume that s satisfies ◇G* in
B. By temporal reasoning, s satisfies $\Diamond(R_s \wedge G^*)$ in B. But s is the
last state in B that satisfies $R_s$, and so it must be that s satisfies G*.
By induction hypothesis, G* holds at s in $\mathcal{S}$ as well, and by temporal
reasoning ◇G* holds at s in $\mathcal{S}$.

• Otherwise, $\mathcal{S}$'s bag is a subset of B's bag, and not a singleton. In
particular, there is no halting state in the bag. Let R be the disjunction
of all $O_t$ for t in $\mathcal{S}$'s bag. By construction of σ, all states in B's bag
that satisfy R are also in $\mathcal{S}$'s bag — the point being that σ makes the
biggest cycle possible. In B, it must be that each of the states in $\mathcal{S}$'s
bag satisfies $\Box(R \Rightarrow [R'])^*$. This formula simply says that all states
in B's bag that are also in $\mathcal{S}$'s bag must be followed by another state
in $\mathcal{S}$'s bag. Moreover, we have that $\vdash R \wedge \Box(R \Rightarrow [R']) \Rightarrow \Box R$. This
yields that each state s in $\mathcal{S}$'s bag satisfies $\Box R$ in B's bag. Let ◇G*
hold at s in B's bag. Then, by temporal reasoning, $\Diamond(R \wedge G^*)$ holds
at s in B's bag. In other words, G* holds at some state t in B, and
t satisfies R. Since t satisfies R, it must also be in $\mathcal{S}$'s bag. Thus,
by induction hypothesis, t also satisfies G* in $\mathcal{S}$, and hence s satisfies
◇G* in $\mathcal{S}$.

Next we consider the states in $\mathcal{S}$'s string. We assume the claim has been
proved for all states at distance no bigger than n from $\mathcal{S}$'s bag; we consider
the state s at distance n + 1. Suppose that s satisfies ◇G* in B and that s
is in $\mathcal{S}$'s string. Since $\vdash [R'_s] \wedge \Diamond G \Rightarrow G \vee \Diamond(R_s \wedge \Diamond G)$, either G* must hold
at s, or ◇G* must hold at the state that follows s, in B. In the former case,
the complexity of the formula considered has decreased. In the latter case,
the complexity of the formula considered has remained the same but we are
closer to $\mathcal{S}$'s bag, since s is a state in $\mathcal{S}$'s string and t follows s. In either
case, the induction hypothesis immediately yields the desired result.

Since all linearizations of B satisfy ¬F*, we conclude that all lineariza-
tions of $\mathcal{S}$ satisfy ¬F*. ∎

The final step in our proof is constructing an interpretation (S, I) and
checking that (S, I, σ) satisfies ¬F.

We take S to be the set of states in B that occur in σ.

Each proposition symbol $P_i$ that occurs in F has a value at each state
in the balloon. We take $I_p(P_i)$ to be the set of states of σ where this value
is true. Similarly, if $A_i$ is an action symbol in F, then the proposition
symbol $[A_i]^*$ has a value at each state in the balloon (because it occurs in
$(X \Rightarrow F)^*$). We take $I_a(A_i)$ to be the set of pairs of states (s, t) such that
$[A_i]^*$ is true in s. Two slight oddities should be noticed here. The first one
is that we are interpreting an action symbol much as a proposition symbol
(the second component of the pair, t, plays no role). The second one is that
if [false]* holds in s then $(s, t) \in I_a(A_i)$, somewhat arbitrarily.

All remaining proposition symbols and action symbols can be interpreted 
at will, as they do not affect the meaning of F. 

In order to show that $(S, I, \sigma) \models \neg F$, we prove a stronger proposition:

Proposition 4 If G is a subformula of ¬F and s is a state in σ, then G
holds at s in σ if and only if G* holds at s in $\mathcal{S}$. In particular, σ satisfies
¬F.

Proof The proof is by induction on the structure of G. The only
nontrivial case is for formulas of the form [A]. In this case, we consider
separately the subcases where [false]* holds at s in $\mathcal{S}$ and where it does not.
In both subcases, we use that some of the theorems compiled in X hold at
s in $\mathcal{S}$; this is true because the theorems hold at s in B and because they
are free of □ and ◇.

If [false]* holds at s, then [A]* holds at s for every A of interest, since
$\vdash [false] \Rightarrow [A]$. Also, if [false]* holds at s, the construction of σ yields that
σ loops at s, thus [false] holds at s in σ; therefore, [A] holds at s in σ for
every A, by definition of the semantics of [ ]. Thus, [A]* holds at s in $\mathcal{S}$, and
[A] holds at s in σ.

If [false]* does not hold at s, then we can use the axioms to decom-
pose A into a boolean combination of proposition symbols, primed propo-
sition symbols, and action symbols. More precisely, consider the following
primitive-recursive function d:

$$d([P_i]) \triangleq [P_i]$$
$$d([P'_i]) \triangleq [P'_i]$$
$$d([A_i]) \triangleq [A_i]$$
$$d([false]) \triangleq false$$
$$d([\neg A]) \triangleq \neg d([A])$$
$$d([A \wedge B]) \triangleq d([A]) \wedge d([B])$$
$$d([(\neg P)']) \triangleq d([\neg P'])$$
$$d([(P \wedge Q)']) \triangleq d([P' \wedge Q'])$$

One can derive by induction that [A] and d([A]) are provably equivalent for
every A:

$$\vdash \neg[false] \Rightarrow [A] \equiv d([A])$$

and this is also valid, of course:

$$\models \neg[false] \Rightarrow [A] \equiv d([A])$$

Therefore, it suffices to consider [A] in the cases where A is false, a propo-
sition symbol, a primed proposition symbol, or an action symbol:

• A = false: We have that s satisfies ¬[false]* in $\mathcal{S}$. By construction, σ
does not fall into a loop in s (though it may loop between s and $\bar{s}$).
Therefore, s satisfies ¬[false] in σ.

• A = $P_i$: Since $\vdash \neg[false] \Rightarrow [P_i] \equiv P_i$, we have that s satisfies $[P_i]^*$
in $\mathcal{S}$ if and only if s satisfies $P_i$ in $\mathcal{S}$. Since $\models \neg[false] \Rightarrow [P_i] \equiv P_i$,
similarly, s satisfies $[P_i]$ in σ if and only if s satisfies $P_i$ in σ. Finally,
the definition of $I_p$ yields that s satisfies $P_i$ in $\mathcal{S}$ exactly when s satisfies
$P_i$ in σ.

• A = $P'_i$: If s satisfies $[P'_i]^*$ in $\mathcal{S}$, then $P_i$ is one of the conjuncts in the
assignment $R_s$. In the construction of σ, the state immediately after
s must satisfy $R_s$, and hence $P_i$. Therefore, the semantics yields that
s satisfies $[P'_i]$ in σ. Conversely, suppose that s does not satisfy $[P'_i]^*$
in $\mathcal{S}$; then $\neg P_i$ is one of the conjuncts in the assignment $R_s$. In the
construction of σ, the state immediately after s must satisfy $R_s$, and
hence $\neg P_i$. Therefore, the semantics yields that s satisfies $[(\neg P_i)']$ and
not $[P'_i]$ in σ.
• A = $A_i$: The definition of $I_a$ is designed to make this case trivial.
We derive that $(S, I, \sigma) \models \neg F$, as a special case. ∎

This concludes the completeness proof. It follows from the proof that
PTLA possesses a finite model property, and hence it is decidable. In fact, it
seems likely that the validity problem for PTLA is decidable in polynomial
space.

5 Conclusions 

We have presented a complete proof system for a propositional temporal 
logic of actions, PTLA. Lamport has considered extensions of the basic tem- 
poral logic of actions, and it seems worthwhile to search for axiomatizations 
of some of them as well. 

The simplest extension consists in adding formulas of the form $[A]_{P_0, \ldots, P_n}$
to the logic; this yields the general temporal logic of actions. Roughly,
$[A]_{P_0, \ldots, P_n}$ says that the action A will take place the next time that one of
Po, . . . , P n changes value. A further extension consists in adding existential 
quantification over propositions, for hiding internal state. These extensions 
make it possible to formulate proofs that a program implements another pro- 
gram, and lead to a simple compositional semantics for concurrent systems. 
As the logic becomes more powerful, however, it becomes more difficult to 
choose appropriate proof principles. A complete axiomatization might help 
in this choice. 